Just something whacky to get you thinking. At least it got me pulling apart my hair, and now, I'm half bald.

Sunday, March 06, 2011

HTTPS for all browsing

I've been thinking about using HTTPS for everything (even sites that don't support HTTPS) by routing all my traffic through a proxy that makes connections to the actual site (possibly on HTTP). This at least secures my traffic from packet sniffing on the local LAN.

What this means is that if you are at school or office, no colleague can run Wireshark or TCPDump on the local LAN and capture/sniff your traffic. Also, you can now safely browse the web over HTTP on insecure/potentially sniffed networks such as stray wireless networks without having to worry about your data being compromised! Welcome Starbucks internet :-p

Traditionally, if the browser connects directly to a public proxy, then HTTP traffic still goes unencrypted (to the best of my understanding). Hence, this is what I've thought of doing.

1. Set up a local proxy on the same machine, which connects to a remote proxy over HTTPS.

2. Ensure that the remote proxy is running on a safe/trusted network (it could be your home PC if you want to use insecure wireless networks securely).

3. This remote proxy can now make HTTP connections, and the issue of local packet sniffing is resolved.

However, it doesn't prevent remote packet sniffing (on the network where the remote proxy resides), which is why it is important to have the remote proxy sitting on a secure network.

If you are seriously planning to use this proxy, and you aren't yet using HTTPS Everywhere, I would strongly suggest that you start using it since it will reduce the load on the proxy and is more secure (since the encryption is end-to-end and not proxy-to-end).

Mamma says that there shall be a day when browsers pop up a warning when you view an http based page (as opposed to an https based one).

So, the local-proxy.js will run on your local machine, whereas remote-proxy.js will be running on a trusted remote machine that is outside the network you are currently on (the untrusted network).

Check this link for a nice discussion on the topic (very informative): http://www.reddit.com/r/programming/comments/fzu0c/ive_created_an_https_based_proxy_for_relatively/

It seems that the core of the idea can be implemented using standard tools such as ssh. However, I am also working on more privacy features such as removing the Referer header, etc. You can also try Firefox add-ons that accomplish these goals.